Five key areas to focus on for secure remote working practices

Just a few years ago, remote working was something only the most progressive, hippest new Silicon Valley start-ups practiced. Now almost every organisation has been forced to shift their operations and infrastructure to a remote working model.

Normally that kind of shift would take months of planning. But it happened overnight.

No organisation is going to put efficient and highly secure IT infrastructure in place overnight without taking some shortcuts, missing a few tricks or making the odd minor mistake.

But even a minor mistake in remote working cyber security can lead to a major problem.

We ran through all these common errors in a webinar for The Chartered Institute of Management Accountants (CIMA) recently.

We identified threats to remote working – new and old.

And we looked at where businesses slip up with their IT planning, infrastructure and managed services.

Most importantly, we pinpointed five key areas of cyber security that every organisation should be focusing on, if they haven’t already.

1. Always use two factor authentication for any sensitive data

Any time a user tries to access any type of sensitive data, you should always have some kind of two factor authentication enabled.

That’s more than just a simple username login. More than a password. They can be guessed, they can be hacked.

Two factor authentication takes a known quantity – an email address or password – and adds an unknown, random quantity to that. Usually a code.

It’s increasingly common with internet banking and with other personal apps we use.

You and your employees should be protecting your business credentials and your business data the same way you protect your personal cash.

If a user tries to login with a new device, send a verification code to a previously known and trusted device. If a user tries to open a secure document with their username, send a code to their secure email address to ensure it is them.

If you get a request for information via an email, call to check it was genuine. If a call comes through, email to check they are genuine..

2. Audit your supply chains and remote working setups

Criminals will always look to exploit any weak links in your security fence, and they may find them outside of your organisation.

Just because you’ve put the time and effort into highly secure systems to protect data within your business, doesn’t mean your suppliers have done the same.

Look at IT providers as an example. We handle all your systems and infrastructure and often have unrestricted access to all of your data. But IT providers can start up overnight. They don’t need any official certification or professional training.

It’s your duty to check your IT providers adhere to the same high security standards as you do.

You likely share sensitive data with a number of providers in your supply chain, so take the time to audit them all.

For Data Protection Act compliance you need to check your data is secure at every point in the chain. It’s a legal obligation and it demonstrates credibility – you might find other organisations won’t work with you unless you can show your supply chain is secure.

This is your chance to bring every part of your business onto the same page, and make sure your suppliers’ standards are at the same high level as yours.

Use the time to audit all your remote working setups to make sure they work as they should – safe, secure and effective.

3. Review your IT infrastructure inline with your business plans

With this dramatic shift in working practices your old business plans have probably gone out of the window.

The rush to implement remote working has possibly also seen your organisation ‘take what they can get’, jumping at the first viable-looking solution without the due diligence and exploration you would normally apply.

So take a step back now things have settled down. Revisit your business plan. Does it align with your current setup and operations?

Is your IT infrastructure supporting your organisation in an efficient, productive and secure way, or can improvements be made?

The last thing you need now is for poor IT infrastructure and security to hold your organisation back.

4. Focus on organisation-wide training

Training, training and more training. But training is only effective if everyone in your organisation does it.

It comes back to the weakest link. If one member of staff hasn’t done any cyber security training and makes a simple mistake, criminals will exploit it instantly.

There are lots of options for cyber security training, from quick emails and courses offered by banks to more comprehensive on-site seminars.

We recommend the NSE 1 and 2 cyber security awareness courses – free for everyone and offering a solid foundation to build on.

The more training you and your team can do, the more cyber security awareness will become a habit, baked into everything you do.

And by training your users to use tools more securely and more effectively, you’ll also boost productivity.

5. Never change or add bank account details without a second form of verification

Finally, our golden rule. Never, ever, ever change any payment details without a second form of verification.

It’s an easy tactic for criminals. Spoof an email address, send an email to you – reportedly from your supplier – with an invoice attached, showing different bank account details.

You pay it. Your actual supplier doesn’t get paid. You’re out of pocket twice.

Or perhaps you’ve got a message from the boss asking you to urgently transfer funds for an essential job. They sound angry, so you get on it right away. You ask them about it later, and the boss says he never sent a message.

These can ALL be stopped with simple verification. No more invoice fraud, no more CEO spoofing.

If you receive any request to change or add bank account details – always double check.

If you get an email from a supplier, call their accounts team to double check.

If you get a text message, send an email to confirm.

Even using Whatsapp or Slack as that 2nd form of verification can help you stop this fraud.

—

Those are our five key areas to focus on to improve security with your remote working practices. Follow the guidance here and you will be making your organisation more secure from cyber attacks and helping all your employees remain vigilant against the ever-growing threats.